
Configure DPA to use a custom certificate for SSL/TLS using keytool

Updated February 8, 2017

Overview

By default, DPA 9.2 and later automatically generates a self-signed certificate that is used to establish secure communication over HTTPS. This article describes how to replace the self-signed certificate with a custom certificate using keytool, a Java application.

This is a custom configuration not officially supported by SolarWinds. The support team cannot help you configure your certificate.

Before you begin, you must contact your administrator to determine the certificates required for your environment.

Environment

  • DPA 9.2 and later

Steps

If you have a Java KeyStore (JKS) file from your administrator, you can rename it to .keystore and skip to step 2. SolarWinds recommends renaming the alias for the server certificate in the keystore file by running the following commands:

Description: List all certificates stored in the keystore file
Command:     keytool -list -v -keystore <YOUR_KEYSTORE_FILE>

Identify the certificate for your DPA server and use its alias name as <OLD_ALIAS_NAME>.

Description: Rename the certificate alias <OLD_ALIAS_NAME> to tomcat
Command:     keytool -changealias -alias "<OLD_ALIAS_NAME>" -destalias "tomcat" -keypass <CERTIFICATE_KEY_PASSWORD> -keystore <YOUR_KEYSTORE_FILE> -storepass <KEYSTORE_PASSWORD>

Default passwords are changeit.

If you do not have a JKS file from your administrator, follow these steps:

  1. Create a keystore containing the newly generated private/public key pair.
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -storepass <KEYSTORE_PASSWORD> -keypass <CERTIFICATE_KEY_PASSWORD> -dname "CN=<HOST_NAME>,O=<ORGANISATION>,L=<LOCATION>,ST=<STATE>,C=<COUNTRY>"
    
    Notes:
    • You can choose the specific domain name (dpa.yourdomain.com) or use a wildcard character (*.yourdomain.com).
    • Default passwords are changeit.

  2. Generate a certificate-signing request.
    keytool -certreq -keyalg RSA -alias tomcat -keystore .keystore -file <DPA_CERT_REQUEST_FILE> -storepass <KEYSTORE_PASSWORD>
    
  3. Ask your certificate authority (CA) to sign your request file, <DPA_CERT_REQUEST_FILE>. You should then receive a file containing the signed certificate from your CA.
  4. Get the files with the trusted certificate chain from your CA.
    • Ensure that every certificate of the chain is in a separate file. A file containing multiple certificates is not supported.
    • Start from the root CA certificate and progress down the chain. Typically this means importing the root CA certificate and one or more intermediate certificates.
  5. Import certificates from the trusted chain into your keystore.
    keytool -import -alias <ALIAS> -keystore .keystore -trustcacerts -storepass <KEYSTORE_PASSWORD> -file <CERTIFICATE_CHAIN_FILE> 
    

    If you receive the following error message, ask your CA where to get these files.

    keytool error: java.lang.Exception: Input not an X.509 certificate => chain certificate has to be in separate files

  6. Import the signed certificate from your CA to your keystore.
    keytool -import -alias tomcat -keystore .keystore -storepass <KEYSTORE_PASSWORD> -file <DPA_SIGNED_CERT_FILE>
    
  7. Place the .keystore file into the <DPA-dir>/iwc/tomcat/conf/ directory.
  8. If you did not use the default password (changeit), edit the server.xml file and add these attributes (quoted, as XML requires) to the tomcat connector:
    keystorePass="<KEYSTORE_PASSWORD>" keyPass="<CERTIFICATE_KEY_PASSWORD>"
    
  9. Restart the DPA server.
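The following script is an added example, not SolarWinds' own code: it rehearses steps 1 through 6 above end to end against a throwaway test CA (a root and one intermediate, built with openssl so the chain-import order can be exercised offline), then runs the two file-level checks that correspond to the errors in the Troubleshooting section below (unknown issuer, host name mismatch). Constructed and assumed values: host name dpa.example.test, the article's default password changeit, and the aliases root-ca and intermediate-ca. Two additions to the article's commands are assumed: -noprompt so the trust-chain imports do not wait for a "Trust this certificate?" answer, and -storetype JKS so the keystore type is explicit on newer JDKs that default to PKCS12.

```shell
#!/bin/sh
# Added example (not SolarWinds' script): run the article's keytool procedure against a
# constructed test CA, then check the result the way the Troubleshooting section describes.
# Assumed values: host dpa.example.test, password "changeit", aliases root-ca/intermediate-ca.
# Prints one summary line, e.g. "chain=3 verify=OK host=match".

dpa_keystore_demo() {
    host="dpa.example.test"
    pass="changeit"
    for tool in keytool openssl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 2; }
    done
    work=$(mktemp -d) || return 1
    ks="$work/.keystore"

    # Constructed test CA: root plus one intermediate, the usual chain shape (test use only).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$work/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 -subj "/CN=Test Root CA" \
        -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$work/root.key" -out "$work/root.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout "$work/inter.key" -out "$work/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$work/inter.csr" -CA "$work/root.crt" -CAkey "$work/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$work/ca.ext" -out "$work/inter.crt" >/dev/null 2>&1

    # Step 1: keystore holding a new RSA key pair under the alias Tomcat expects.
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -storetype JKS -keystore "$ks" \
        -storepass "$pass" -keypass "$pass" \
        -dname "CN=$host,O=Example Org,L=City,ST=State,C=US" >/dev/null 2>&1
    # Step 2: certificate-signing request for that key.
    keytool -certreq -alias tomcat -keystore "$ks" -storepass "$pass" -keypass "$pass" \
        -file "$work/dpa.csr" >/dev/null 2>&1
    # Step 3: the CA signs the request; here the local intermediate does, adding a SAN for the host.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" >"$work/server.ext"
    openssl x509 -req -in "$work/dpa.csr" -CA "$work/inter.crt" -CAkey "$work/inter.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$work/server.ext" -out "$work/dpa.crt" >/dev/null 2>&1

    # Steps 4-5: import the trusted chain, root first, one certificate per file.
    keytool -import -noprompt -trustcacerts -alias root-ca -keystore "$ks" -storepass "$pass" \
        -file "$work/root.crt" >/dev/null 2>&1
    keytool -import -noprompt -trustcacerts -alias intermediate-ca -keystore "$ks" -storepass "$pass" \
        -file "$work/inter.crt" >/dev/null 2>&1
    # Step 6: import the signed certificate as the reply for the existing tomcat key entry.
    keytool -import -noprompt -alias tomcat -keystore "$ks" -storepass "$pass" -keypass "$pass" \
        -file "$work/dpa.crt" >/dev/null 2>&1

    # Check 1: the tomcat entry now carries the full chain (server, intermediate, root).
    chain=$(keytool -list -v -alias tomcat -keystore "$ks" -storepass "$pass" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p')
    # Check 2 (SEC_ERROR_UNKNOWN_ISSUER): the server certificate must verify up to the root.
    if openssl verify -CAfile "$work/root.crt" -untrusted "$work/inter.crt" "$work/dpa.crt" >/dev/null 2>&1
    then verify=OK; else verify=FAIL; fi
    # Check 3 (SSL_ERROR_BAD_CERT_DOMAIN): the certificate must cover the DPA host name.
    if openssl x509 -in "$work/dpa.crt" -noout -checkhost "$host" 2>/dev/null | grep -q "does match"
    then hostcheck=match; else hostcheck=mismatch; fi

    rm -rf "$work"
    echo "chain=$chain verify=$verify host=$hostcheck"
}
```

Source the file and call dpa_keystore_demo; a chain length of 3 with verify=OK and host=match is the state the real keystore should reach before it is copied to <DPA-dir>/iwc/tomcat/conf/. To apply the same checks to a real deployment, replace the local signing step with the certificate file your CA returns and keep the .keystore path identical across every keytool command, which is exactly the condition the SEC_ERROR_UNKNOWN_ISSUER note below depends on.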

Troubleshooting

If your browser warns about an insecure connection, show the certificate information in your browser.

NET::ERR_CERT_COMMON_NAME_INVALID, SSL_ERROR_BAD_CERT_DOMAIN

The requested host name does not match the certificate of the server.

Ensure that the certificate CommonName contains the host name of the DPA server.

NET::ERR_CERT_AUTHORITY_INVALID, SEC_ERROR_UNKNOWN_ISSUER

The keystore used for import must be the one that was used to generate the CSR.

Use the same keystore file (.keystore) in all steps.

Last modified: 17:00, 17 Apr 2017